Saturday, April 23, 2016

On February 4, 2016, more than $100 Million USD were stolen from the Bank of Bangladesh's foreign exchange reserves housed at the Federal Reserve Bank in New York. The hackers had actually attempted to steal US$951 Million, in a series of three dozen SWIFT wire transfers, but were thwarted when an alert staff member found some suspicious misspellings in the name of the organization used for the fifth transfer. Five transfers were completed totaling US$101 Million, although a $20M transfer to a non-profit organization in Sri Lanka was reversed due to the spelling error, which called them "Shalika Fandation" instead of "Foundation," causing a deeper look at the transfer, and stopping an additional US$850 Million of queued transfers to other organizations. Stealing $1 Billion is huge, but especially for Bangladesh, whose total foreign currency holdings are $27 Billion.

The four successful transfers, totaling US$81 Million were sent to an account in the Philippines at Rizal Commercial Banking Corporation. Hearings held by the Philippines Senate revealed that these accounts had been opened nine months earlier by two Chinese residents. Kim Wong (AKA Kam Sin Wong) claims that he only acted as an interpreter to assist two other Chinese nationals, Gao Shu Hua and Ding Zhi Ze, from Beijing and Macau.

Gao and Wong are "junket operators" who are among the many small boat captains who are thought to ferry gamblers between the casinos in Macau and the Philippines.

At least one Philippine Senator, Sergio Osmeña III, claims that this is a planned loop hole in the Anti-Money Laundering Act. Casinos lobbied the Senate heavily as the bill was being considered, and as a result, they are exempt from reporting suspicious financial transfers that most other commercial businesses are required to report.

RCBC & Maia Santos-Deguito

The Epoch Times reports that in at least one of these transfers, $22 Million was placed into the Jupiter Street branch of Philippines RCBC and $427,000 of those funds were withdrawn in cash and loaded into the car of Maia Santos Deguito, the brand manager. The withdrawal was handled by Deguito's assistant, Angela Torres, who had the money delivered by armored car, took the money and placed it in a box, which was then transferred to a paper bag and placed in the branch manager's car. GMA News picks up the story of testimony from bank employees ... A bank employee said in testimony that Deguito told him, "I would rather do this than me being killed or my family," claiming that her life had been threatened if she refused to participate in the illegal activity. But when deposed herself, Deguito says her life was never threatened. The transfers from the Federal Reserve Bank of New York came to RCBC accounts under the names Michael F. Cruz, Jessie C. Lagrosas, Alfred S. Vergara, and Enrico T. Vasquez. From there, $66M was withdrawn and consolidated into an account in the name of William So Go. Deguito claims that Kim Wong, the front man for the Chinese pair, was a "friend of bank President and CEO Lorenzo V. Tan." Tan denies this, although he admits having seen Wong on a number of occasions.

The Treasurer of RCBC, Raul Victor Tan, has resigned "out of decency and honor, and despite his lack of involvement." Branch Manager Deguito reported to him and is largely believed to be the main point of contact between the bank and Gao Shu Hua. RCBC's president was also placed on leave from March 23rd. The Central Bank Governor in Bangladesh, Atiur Rahman, has been forced to resign as well.

My security is so bad that I'm suing you!

According to The Epoch Times, the Bank of Bangladesh hired FireEye to investigate the situation. The initial FireEye report, released March 16th, indicated that at least 32 compromised assets had been identified that were part of a complex malware scheme for harvesting credentials needed for the SWIFT transfers and erasing logs of the activity in question.

In much the same way that small businesses have attempted to file lawsuits against their banks when their lack of security has led to malware infections that drained their accounts, the Bank of Bangladesh announced through Finance Minister AMA Muhith that they would sue the Federal Reserve Bank of New York. In Al-Jazeera, Muhith is quoted as saying "We've heard that Federal Reserve Bank of New York has completely denied their responsibility. They don't have any right."

But much like the small businesses who have lost those lawsuits once their ineptitude was put on display, Bank of Bangladesh may have trouble claiming the problem resided at the Fed. On Friday, April 22nd, Reuters and BBC both released stories exposing the horrible security at Bank of Bangladesh. The Reuters' headline read "Bangladesh Bank exposed to hackers by cheap switches, no firewall: police" while the BBC headline pronounced "$10 router blamed in Bangladesh bank hack". A forensic investigator working on the Bangladesh team, Mohammad Shah Alam, says the investigation was complicated by the lack of log files available on these discount routers, but the larger problem is the illustrated lack of any care about security that choosing such a device indicates in the first place. (It should be acknowledged that this contradicts the bank's statement that their firewall was penetrated by a sophisticated cyber attack:

Who can Join Our Network?

The bigger question raised in the Reuters story, though, is what responsibility should the western banking world hold in requesting to evaluate the security of those who would attach themselves to the trillions of dollars per day global financial markets? In the United States our regulations require that a holder of Personally Identifiable Information should require proof of the security of those they interact with in a wide variety of settings. HIPAA, the ruleset for protecting the privacy of your medical records, began requiring HIPAA-covered entities to take responsibility for the security of their vendors who may interact with sensitive records in 2013/2014. (See for example this story in IAPP -- "HIPAA Changes Mean Tightening Up Vendor Relationships"). In the same way the Payment Card Industry standard, PCI, that protects the privacy of credit card information also requires any covered entity to perform Due Diligence of their third party vendors (See their 47 page guidance on the subject, "Information Supplement: Third-Party Security Assurance").

So if my Hospital is not allowed to exchange patient data with an insurance company before checking the security of their networks, systems, and applications, and my Grocery Store is not allowed to exchange credit card information with a financial services company before checking the security their networks, systems, and applications, why would SWIFT and the Federal Reserve Bank system be allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second hand off the Internet? SWIFT has announced they would be issuing "written guidance" to ensure their members are practicing proper security methods. Hopefully these are more robust than those in their 2012 Whitepaper "CPSS-IOSCO's Principles for Financial Market Infrastructures">. (To learn more see: SWIFT: Information Security)

Probably because we are trying to lower the barriers of entry to banks from depressed economies. "Is it fair" to require one of the poorest nations in the world to have to spend the same type of money that western nations spend on Internet security? Perhaps not. But until we do, these emerging economies are going to be a continual and growing target of the cyber criminals that are willing to invest "western-style" funds to accomplish heists that are truly worthy of a Hollywood movie.

Update 25APR2016 - BAE Analysis of SWIFT malware

Adrian Nish has published a blog post at BAE Systems Threat Research Blog Two Bytes to $951M where he documents the behavior of the malware that was likely used in the Bank of Bangladesh unauthorized SWIFT transfers. Malware that causes the SWIFT software running at the bank to bypass certain confirmations, and alter the print queue where messages are sent to hide the evidence of the transaction being performed. Great analysis! And making this attack far more advanced than the "didn't have a firewall" accusations being leveled.